Virus check device and system

ABSTRACT

The present invention detects a computer virus at high speed, using hardware, from digital data acquired through a network. In an information processing terminal 002 capable of communicating with other information processing apparatus through a communication network 005, a virus checking apparatus 001 constructed of a hardware circuit is disposed on the input channel side of the network 005, and the virus checking apparatus 001 checks the input data from the network 005 for a virus. So that the virus pattern collated with the input data by the hardware can be changed, the hardware circuit is detachably mounted or a rewritable logic device is used in the hardware circuit. The virus pattern of the logic device can be rewritten by sending virus definition information of a server 004, or control data generated from this information, to the virus checking apparatus 001.

TECHNICAL FIELD

This invention relates to a virus checking apparatus and system for detecting harmful data, called a "computer virus" or simply a "virus", at high speed from digital data acquired through a storage device or a communication network, using hardware.

RELATED ART

As the number of computers connected to communication networks increases, the amount of data flowing through those networks increases dramatically. This data includes "(computer) viruses", that is, software that inhibits the operation of a computer or information that a user or administrator does not accept, so there is a growing need to monitor the data flowing through a network channel or the like and to protect computer resources and information from such viruses.

Such virus monitoring is conventionally performed by dedicated software running on individual computers or on a data-relaying network device or the like, as shown for example in Patent Reference 1.

[Patent Reference 1] JP-T-2001-508564

However, as the transfer rate of a network channel or the like improves, the amount of data flowing through the channel increases. Because of this speedup, the processing speed of software is expected to be unable to keep up in the near future, and the CPU load imposed on a personal computer by virus monitoring software is expected to increase and become a bottleneck.

On the other hand, hardware can operate at high speed compared with software and can monitor the data of the channel at high speed with reduced delay. However, changing the monitoring target data (virus check patterns) inside hardware for virus checking generally requires replacing the device, which is unsuitable for coping with monitoring target data that changes daily.

DISCLOSURE OF THE INVENTION

In view of these circumstances, an object of the invention is to provide a virus checking apparatus and system capable of detecting harmful data (viruses) at high speed from digital data acquired through a network or a storage device, by using hardware for virus monitoring.

According to a main characteristic of the invention, there is provided a virus checking apparatus [claim 1] comprising a hardware circuit (015) which is disposed on the input channel side of a communication network or a storage device and which checks input data from the communication network or the storage device for a virus, in an information processing terminal capable of communicating with other information processing apparatus through a communication network. Incidentally, for ease of understanding, the numerals in parentheses are illustrative and refer to corresponding elements in the embodiments described below; the same applies in the following description.

Also, according to another characteristic of the invention, there is provided a virus checking system [claim 8] comprising a server apparatus, an information processing terminal communicably connected to the server apparatus through a communication network, and a virus checking apparatus (001, 101) disposed on the input channel side of a communication network or a storage device of the information processing terminal, characterized in that the server apparatus comprises a virus definition file for updatably accumulating virus definition information and a control data (configuration data) sending part for sending control data generated based on the virus definition information, the virus checking apparatus comprises a hardware circuit (015) for checking input data from a communication network or a storage device to the information processing terminal for a virus, and the hardware circuit has a control part (021) for updating the virus pattern collated with the input data based on the control data from the server apparatus.

The hardware circuit of the virus checking apparatus according to the invention can be configured to comprise a logic device having a data input part (030) for holding the input data, a virus definition part for holding a virus pattern, and a pattern collation part (031) for collating the input data with the virus pattern [claims 4, 9].

The virus checking apparatus according to the invention can be configured to be inserted into the medium of the input channel [claim 2], or to be disposed in addition to an interface of the information processing terminal to a communication network [claim 3]. Also, the hardware circuit of the virus checking apparatus can be configured to be detachably mounted [claim 5]. Further, the hardware circuit can be configured to be rewritable by control data sent from other information processing apparatus through a communication network [claim 6], or can comprise a rewriting control part (021) for rewriting the logic device based on control data sent from other information processing apparatus through a communication network [claim 7].

[Action]

In a virus check according to the invention, in an information processing terminal (for example, a personal computer (PC) having a communication function) capable of communicating with other information processing apparatus through a communication network (for example, a LAN such as Ethernet (a registered trademark) or a wide area network such as the Internet), invasion of a virus into the personal computer or the like can be detected in real time by collating data inputted from the communication network with virus feature data using hardware for virus checking. That is, hardware can process data at high speed compared with software, and because the virus check is made by hardware inserted into the network or added to a network card (NIC, Network Interface Card), harmful data, that is, a virus, can be detected at high speed and countermeasures such as elimination of the virus or blocking of its invasion can be taken.

Also, regarding the problem that it is difficult to change a virus definition file held in hardware, in the invention the hardware circuit is detachably mounted, or a rewritable logic device is used in the hardware circuit, so that the virus pattern collated with the input data by the hardware can be changed. When the virus pattern of the logic device is rewritten, the virus pattern is updated by sending virus definition information of a server apparatus, or control data generated based on this information, to the virus checking apparatus.

In particular, where the logic device is rewritable, a rewritable logic device such as a programmable logic device (PLD) can be used for the virus definition and the collation part. A PLD, for example, allows the circuit to be changed easily, and because such a logic device is hardware, high-speed operation is maintained. Therefore, even when a communication network becomes faster and traffic increases, a virus check can be made at high speed without imposing a load on the CPU of the terminal personal computer.

Further, the control data (configuration data) written into the rewritable logic device such as the PLD can be delivered from a server apparatus or the like through a communication network. For this purpose, a control part for updating the PLD can be provided simply by adding a small CPU such as a PIC and a storage area such as flash memory for temporarily accumulating the control data inside the virus checking apparatus. Also, when the configuration data becomes large, a difference from the previous version or a data compression technique can be used.

Referring to a method by which the server apparatus delivers the control data (PLD configuration data): for example, when the control data has been accumulated in a buffer of the virus checking apparatus and communication becomes idle, a CPU (such as a PIC) inside the apparatus stops the network, the PLD is set in a rewriting mode, the data is rewritten, and the apparatus is then restarted. Incidentally, since the control data arrives over the same channel as the data being checked, it is preferable to use a secure mechanism such as a digital signature or encryption when the control data is delivered to the terminal side.

A virus checking apparatus according to the invention can be inserted into a channel of a network. By adapting it to the communication protocol, the apparatus can be inserted into any channel (network, IDE cable, data bus, etc.). When the virus checking apparatus according to the invention is used as an external apparatus of a computer, a power supply is required; the supply method is not limited, and in addition to supply from an ordinary commercial power outlet, power can for example be supplied through an Ethernet cable. Also, the apparatus can be incorporated into a network adapter with a USB connection or into a network adapter with an IEEE 1394 connection.

Also, a virus checking apparatus can be built into a computer terminal. For example, the apparatus can be incorporated into an Ethernet adapter card (NIC) built into a computer. The same applies to a PCMCIA card adapter for a wireless LAN, a wireless LAN adapter built into the computer, and the like.

In a virus checking system according to the invention, a virus definition is constructed in the hardware circuit for virus checking on the side of a terminal apparatus such as a computer. In this case, the virus definition can also be embedded as a constant in a previously constructed circuit. Also, a virus definition file can be placed on a server and control data (PLD configuration data) subsequently generated from it using logic synthesis software for the rewritable logic device (PLD). In this series of generation processes, all the processing may be performed on the server, the virus definition may be delivered to the apparatus as it is, or the processing may be divided so that the output of an intermediate stage is delivered to the terminal apparatus and the remaining processing is performed there.

In a virus checking apparatus according to the invention, the virus definition is compared with data flowing through the channel using a logic circuit (logic device), as described specifically in the embodiments (FIGS. 3 and 4). In this case, data subjected to preprocessing (removal of everything other than the contents) is compared with the virus definition while passing through the input part (FIFO) of the logic circuit. When the data does not coincide with the virus definition, it passes as it is; when it coincides (matches), alarm information is outputted and the necessary processing, for example notifying the receiving destination of the packet or deleting the packet, can be performed.

According to the invention, because digital data passing through a channel or the like is collated at high speed by the virus checking hardware (virus checker) as described above, the invention is particularly useful for systems performing high-speed data transfer exceeding 1 Gbps.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram representing a configuration example of the whole virus checking system according to one embodiment of the invention.

FIG. 2 is a diagram representing one configuration example [1] of a virus checking apparatus (virus checker) according to one embodiment of the invention.

FIG. 3 is a diagram representing one configuration example of a virus collator in the virus checking apparatus according to one embodiment of the invention.

FIG. 4 is a diagram representing one configuration example of a byte match detector in the virus checking apparatus according to one embodiment of the invention.

FIG. 5 is a diagram representing another configuration example [2] of a virus collator in the virus checking apparatus according to one embodiment of the invention.

FIG. 6 is a diagram representing another configuration example [3] of a virus collator in the virus checking apparatus according to one embodiment of the invention.

FIG. 7 is a diagram representing one configuration example of a virus check pattern rewriting device according to one embodiment of the invention.

FIG. 8 is a diagram showing one configuration example of a two-way virus checking apparatus (two-way virus checker) according to one embodiment of the invention.

FIG. 9 is a diagram representing a configuration example in which a virus check pattern rewriting device is incorporated into a virus checker according to one embodiment of the invention.

FIG. 10 is a diagram representing another configuration example of a virus check pattern rewriting apparatus according to one embodiment of the invention.

FIG. 11 is a diagram representing a configuration example in which a virus check pattern is rewritten by a PC terminal according to one embodiment of the invention.

FIG. 12 is a diagram representing an example of the generation process of a virus check pattern according to one embodiment of the invention.

FIG. 13 is a diagram representing an example of the generation process of a compressed virus check pattern according to one embodiment of the invention.

FIG. 14 is a diagram representing the rewriting flow of a virus check pattern according to one embodiment of the invention.

FIG. 15 is a diagram representing a configuration example of the whole virus checking system according to another embodiment of the invention, different from the example shown in FIG. 1.

FIG. 16 is a diagram showing details of the virus checker shown in FIG. 15, and shows one example of applying the LAN schematic of FIG. 2 to a storage device.

FIG. 17 is a diagram showing details of a controller.

FIG. 18 is a diagram showing an example of mounting in a USB controller.

BEST MODE FOR CARRYING OUT THE INVENTION

Preferred embodiments of the invention will be described below in detail with reference to the drawings. Incidentally, in each of the drawings, elements which are not directly related to the subject matter of the invention, even when they are necessary for operation of the circuit, for example elements related to the power supply, are omitted.

[Whole Configuration of System]

FIG. 1 schematically shows the whole configuration of a virus checking system according to one embodiment of the invention. For a computer (numeral 002 in the drawing) which is the body apparatus, a hardware apparatus for virus checking (an apparatus of the invention, numeral 001 in the drawing) is inserted on the channel side of input from a communication network (numeral 005 in the drawing); this hardware apparatus is called a "virus checker" in the present description. Whether the communication network (numeral 006 in the drawing) connecting the virus checker 001 to the computer 002 is the same medium as the communication network 005 or a different one has no influence on the function of the invention, and a wired network such as Ethernet (a registered trademark) or a wireless network such as a wireless LAN can be used for either. For example, numeral 005 may be 100BASE-TX and numeral 006 10BASE-T. The computer 002 may be a workstation, a Macintosh computer, a computer cluster, a large-scale computer, a PDA (Personal Digital Assistant), etc., in addition to a personal computer (PC), as long as it is a calculating machine or the like connected to the communication network. This virus checker can detect or block invasion of a virus into the computer or the like in real time by collating data inputted from the communication network with virus feature data (a virus pattern). Also, the collation function device and the virus pattern of the virus checker can be constructed of a PLD (Programmable Logic Device) or an FPGA (Field Programmable Gate Array); in this case, when necessary, the latest virus pattern is received from a server (numeral 004 in the drawing) on the communication network and reconfiguration is performed using that virus pattern. The server 004 may be a personal computer, a workstation, etc., as long as it is connected to the Internet and is capable of delivering data to other computers. Also, the server 004 may be directly connected to the virus checker 001, may be connected through a network hub (numeral 003 in the drawing) having a function of relaying communication data as shown in FIG. 1, or may be connected by another relay or a device having a function of connecting LANs (Local Area Networks) to each other.

FIG. 2 is a diagram schematically showing one example of connecting the virus checker 001 to a one-way communication network. In FIG. 2, numeral 005 is the communication network (data input path from the outside) from which data flows in, and numeral 006 is the communication network on the side of the computer 002. Numeral 013 is a processing circuit for converting the electrical signal on the communication network into digital data with a width of one byte (eight bits), numeral 014 is wiring carrying the network data with a byte width, numeral 015 is a virus collator for comparing and collating the byte data at high speed, numeral 016 is wiring carrying the byte data from which virus data has been eliminated, and numeral 017 is a processing circuit for converting the byte data back into an electrical signal on the communication network. The virus collator 015 is implemented using a reconfigurable device, for example a CPLD or FPGA such as the products of Altera Inc. or Xilinx Inc. Another output signal 019 of the virus collator 015 indicates that a virus has been detected and is inputted to a virus detection notification device 020 for notifying the computer or the user of the detection. The virus detection signal 019 informs the virus detection notification device 020 of the detection and of the kind of virus detected. The virus detection notification device 020 can implement various functions required by the computer 002, for example displaying information about the detected virus by an LED or the like to notify the user, blocking output of the virus-detected network data to numeral 006, and notifying the computer 002 of information about the detected virus. In FIG. 2, numeral 021 is a virus pattern rewriting device, which records the latest version of the virus pattern supplied via the LAN and performs the operation of updating the virus collator.

All the network data travelling toward the computer 002 on the communication network 005 is converted into byte data by the processing circuit 013 and guided to the virus collator 015. In the virus collator 015, the guided network data, either preprocessed or as it is, is monitored at high speed by the collation circuit constructed inside and compared with the pattern, and the determination result is outputted as the virus detection signal 019 in a form appropriate to the use.

By using a reconfigurable logic device (PLD, FPGA, etc.) to implement the virus collator 015, a change in the virus pattern can be accommodated by reconfiguring the virus collator 015 into a circuit based on the latest virus pattern. Also, because the circuit of the virus collator 015 is hardware, the comparison is made at high speed and the network data can be monitored without introducing a long delay into the network data communication and without imposing a load on the computer 002.

The inside of the virus collator 015 can be implemented as shown in FIG. 3. In the drawing, numeral 030 is a FIFO which receives the network data 014 and holds byte data of a length at least equal to the length of the virus pattern; the network byte data 031 held in the FIFO is outputted byte by byte to a byte match detector 032, which collates it with the virus pattern in byte units. The byte match detector 032 continuously collates the inputted network byte data 031 with the virus pattern and can output the virus detection signal 019 at the moment a match is detected. When numeral 015 is constructed of a reconfigurable device, the FIFO portion, which has a fixed configuration, may or may not be included in the reconfigurable device.

A circuit configuration of the byte match detector 032 for collation with one virus pattern is shown in FIG. 4. In the drawing, numeral 041 is a byte comparator which compares the network data with the virus pattern one byte at a time. A string of byte comparators 041 is implemented and arranged as a constant comparison circuit along the list of data constituting the virus pattern, so that when all the byte match signals 042, the output signals of the byte comparators, indicate a match, a virus is included in the data inputted from the network. A match signal integration device 040 is a circuit for generating the virus detection signal 019 when all the byte match signals indicate a match.

The virus collator 015 of FIG. 3 is an example of collation with one virus pattern, but by extending this configuration, collations with plural virus patterns can be performed simultaneously. FIG. 5 shows one way of extending FIG. 3: the output of the FIFO is distributed to plural byte match detectors 032, which simultaneously collate it with different virus patterns. The configuration of FIG. 4 can be used for each byte match detector 032, each collating with a different virus pattern. In this configuration, a virus detection integration device 033 is used to generate one virus detection signal 019 from the outputs of the plural byte match detectors 032. This is a circuit for generating the virus detection signal 019, a signal indicating detection of a virus and the kind of virus detected, when an individual virus signal 034 is outputted from any one of the plural byte match detectors 032.

Also, the virus collator 015 of FIG. 3 can be extended as shown in FIG. 6. In FIG. 6, the virus collator 015 of FIG. 3, that is, a single-stage virus collator 050, is included as a part. As shown in the drawing, the single-stage virus collators 050 are connected in cascade so that plural virus patterns can be compared sequentially. Also, in this case, a plural-stage virus detection integration device 052 is used to integrate the plural virus detection signals, similarly to the configuration of FIG. 5. This plural-stage virus detection integration device has the same function as the virus detection integration device of FIG. 5, and is a circuit for generating the virus detection signal 019, a signal indicating detection of a virus and the kind of virus detected, when a single-stage virus signal 051 is outputted from any one of the plural virus collators 050.

Incidentally, the methods of FIG. 5 and FIG. 6 may be applied simultaneously to extend the virus collator 015 of FIG. 3.
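As an added illustration, not code from the patent, the collation logic of FIGS. 3 to 6 can be modelled in software so that the interaction of the FIFO (030), the byte comparators (041), the match signal integration device (040) and the virus detection integration device (033) can be traced step by step. The pattern names, pattern bytes, the assumed 14-byte header removed as preprocessing, and the sample traffic are constructed for this example:

```python
"""Software model of the virus collator of FIGS. 3 to 6.

Added example, not code from the patent. The FIFO (030), the per-byte
comparators (041), the match signal integration device (040) and the
virus detection integration device (033) are modelled as plain Python;
pattern names, pattern bytes and sample traffic are constructed here.
"""
from collections import deque


class ByteMatchDetector:
    """One constant-comparison chain (FIG. 4) for a single virus pattern."""

    def __init__(self, kind: str, pattern: bytes):
        if not pattern:
            raise ValueError("a virus pattern must contain at least one byte")
        self.kind = kind
        self.pattern = pattern

    def collate(self, fifo) -> bool:
        """Byte comparators 041 each compare one FIFO position with one
        pattern byte; the integration device 040 ANDs their match signals 042."""
        n = len(self.pattern)
        if len(fifo) < n:
            return False            # not enough bytes clocked in yet
        window = list(fifo)[-n:]    # newest n bytes, oldest first
        return all(w == p for w, p in zip(window, self.pattern))


class VirusCollator:
    """FIG. 5 arrangement: one FIFO fans out to several detectors and the
    virus detection integration device (033) merges their outputs into the
    virus detection signal (019), which also carries the kind of virus."""

    def __init__(self, patterns: dict[str, bytes]):
        self.detectors = [ByteMatchDetector(k, p) for k, p in patterns.items()]
        # the FIFO must hold at least the longest pattern (FIG. 3)
        self.fifo = deque(maxlen=max(len(p) for p in patterns.values()))

    def clock_in(self, byte: int) -> list[ByteMatchDetector]:
        """Shift one network data byte (014) into the FIFO and return the
        detectors whose pattern is now complete."""
        self.fifo.append(byte)
        return [d for d in self.detectors if d.collate(self.fifo)]

    def scan(self, data: bytes, reset: bool = True) -> list[tuple[int, str]]:
        """Clock a byte string through; return (offset, kind) per hit, where
        offset is the position of the first pattern byte within `data`
        (negative when the pattern began in earlier data and reset=False)."""
        if reset:
            self.fifo.clear()
        hits = []
        for i, b in enumerate(data):
            for d in self.clock_in(b):
                hits.append((i - len(d.pattern) + 1, d.kind))
        return hits

    def check_packet(self, packet: bytes, header_len: int = 14) -> tuple[bool, list[str]]:
        """Preprocess a frame by dropping its header (assumed here to be a
        14-byte Ethernet header) and collate only the contents. Returns
        (pass_through, kinds): the packet passes on wiring 016 only when no
        pattern matched; otherwise notification device 020 may block it."""
        hits = self.scan(packet[header_len:])
        kinds = sorted({kind for _, kind in hits})
        return (not kinds, kinds)


# constructed sample patterns and traffic for the example
PATTERNS = {"pattern_A": b"X5O!P%@AP", "pattern_B": b"\xde\xad\xbe\xef"}
SAMPLE = b"hello X5O!P%@AP world \xde\xad\xbe\xef"

if __name__ == "__main__":
    collator = VirusCollator(PATTERNS)
    print(collator.scan(SAMPLE))
    print(collator.check_packet(b"\x00" * 14 + b"clean payload"))
```

A match is reported in the clock cycle in which the last pattern byte arrives, wherever the pattern sits in the stream, which is what lets the hardware raise signal 019 without buffering whole packets. Two points a practitioner should keep in mind with such a checker: the FIFO state decides whether a pattern straddling two packets is seen (scanning with reset=False keeps the FIFO across packets), and the circuit compares fixed byte strings only, so a variant whose bytes differ in any position is matched only if a pattern for that variant is also loaded.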

An implementation example of the virus pattern rewriting device 021 is shown in FIG. 7. In this example, a rewriting pattern detector 060 continuously monitors the network data byte 014, and when a data string carrying a mark indicating virus pattern update data is detected, a rewriting pattern match detection signal 063 is generated and a pattern rewriting device 062 is started. The rewriting pattern detector 060 can be implemented with a hardware configuration identical to that of the virus collator 015 of FIG. 3, or with another configuration having an equivalent function. A rewriting pattern buffer memory 061 always holds the latest data of a certain length from the byte strings flowing through the network data byte 014. The length of data held by the rewriting pattern buffer memory 061 is set to a value longer than the maximum rewriting pattern length. The pattern rewriting device 062, started by the rewriting pattern match detection signal 063, stops the data updating of the rewriting pattern buffer memory 061 through a rewriting pattern operation signal 064 and then stops the operation of the virus collator 015. Next, the pattern rewriting device 062 updates the reconfigurable device used inside the virus collator 015 using the virus pattern for updating held in the rewriting pattern buffer memory 061; the updating method appropriate to the reconfigurable device used in the implementation is applied. After the update is finished, the operation of the rewriting pattern buffer memory 061 is resumed and then the operation of the virus collator 015 is also resumed.

The virus checker of FIG. 2 shows the case of one-way data communication through the communication network; FIG. 8 shows this implementation extended to a two-way data channel in the form of an ordinary communication network. In the drawing, numeral 001 is a virus checker as shown in FIG. 2, and communication networks 005 and 006 are two-way networks. The communication network data inputted to a two-way virus checker 101 is separated into one-way signal flows by a two-way signal separator 102 and, after passing through the virus checkers, is recombined into a two-way signal by a second two-way signal separator 102. The two-way signal separator 102 can be implemented using the circuit called a hybrid that is used in the network input part of an Ethernet NIC (Network Interface Card).

Pattern rewriting of the virus collator 015 will be described using FIG. 9. First, a server 004 on the Internet, or connected to a communication network 005 through a network hub 003 or the like, outputs virus pattern updating data carrying a particular mark to the communication network 005 by some method so that it is inputted to a virus checker 001. For example, the output may be produced by a communication method such as broadcast, where possible, or as communication data addressed to the computer 002 on whose input side the virus checker 001 is inserted. Inside the virus checker 001, the communication network data is inputted to the virus collator 015 and to a virus pattern rewriting device 021 as the network data byte 014. When the virus pattern rewriting device 021 recognizes network data carrying the mark of the virus pattern updating data, the virus pattern updating data is fetched as described in the previous section, the function of the virus collator is stopped, the virus collator 015 is reconfigured using a pattern rewriting signal 110, and the virus collator is then restarted.

In FIG. 9, the virus pattern rewriting device 021 is incorporated inside the virus checker 001, but as shown in FIG. 10, an external virus pattern rewriting apparatus 120 can also be implemented outside the virus checker 001. In this configuration, the virus pattern can be updated automatically by keeping the external virus pattern rewriting apparatus 120 always connected to the virus checker 001, or the rewriting operation can be performed by hand by a user who connects the external virus pattern rewriting apparatus 120 to the virus checker 001 only when an update becomes necessary.

Further, as shown in FIG. 11, the virus pattern rewriting function can be arranged outside, connected to a computer 002 through the communication network 006 or by a medium different from the communication network 006, and the virus pattern can be rewritten using software on the computer 002. In this configuration, a virus checker 001 operates independently of the computer 002 during normal operation, and when virus pattern updating data arrives at the computer 002, the computer 002 stops the operation of the virus checker 001, rewrites the virus collator 015 through a PC virus checker pattern rewriting interface 130 and restarts it, thereby updating the virus pattern. Also, in this configuration, a server 004 can send the virus pattern updating data to the computer 002, or the computer 002 can query the server 004 for the presence of virus pattern updating data on demand or periodically. Both can also be used together, or the update can be checked for or carried out on the instructions of a user. Further, the reconfigurable device constituting the virus collator 015 can be detached from the apparatus and data from inside the computer 002 written into it using a commercially available writing apparatus, thereby updating the virus pattern.

The virus pattern used by the virus checker 001 may be the data string indicating a feature of the virus body as it is, or may take the form of data for reconfiguring the virus collator 015. Data for reconfiguring the PLD or the like is called configuration data and can be generated as shown in FIG. 12. In the drawing, numeral 200 is the as-is data of a data byte string indicating a feature of a virus. Using this raw data 200, which is a constant byte string, a part or all of the virus collator is generated, described in an HDL (Hardware Description Language) that generates hardware for comparison with a constant. The output is virus identification HDL data 202. More specifically, virus identification HDL generation software 201 writes the data of the raw virus pattern, which is the constant value for comparison, into a template HDL file in which the framework of the circuit is described. This virus identification HDL data 202 is converted into the final virus pattern 204 using a program called logic synthesis software for the FPGA, which can generate from the HDL file the configuration data for the reconfigurable device actually used to implement the virus collator 015.

When the size of the virus pattern 204 becomes large, as shown in FIG. 13, the data may further be compressed using some compression software 205 and a compressed virus pattern 206 sent to the virus checker. In this case, when a pattern rewriting device 021 is built into the virus checker 001, the pattern rewriting device 021 may regenerate the original virus pattern 204 from the compressed virus pattern 206, and when a computer 002 updates the virus pattern, software on the computer 002 may regenerate the original virus pattern 204 from the compressed virus pattern 206. As the compression algorithm, various generally used data compression methods may be used; alternatively, only the difference from the virus pattern of the previous version may be sent, or the difference may be further compressed before being sent.
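As an added example, not the patent's generation software 201, the steps of FIG. 12 and FIG. 13 up to the logic synthesis stage can be written as a generator that fills a Verilog template with the raw pattern bytes and compresses the result. The template, the module names, the use of zlib and the sample patterns are assumptions made here; synthesis of the generated HDL into configuration data 204 still requires the device vendor's tools and is not modelled.

```python
"""Generate the constant-comparison HDL of FIG. 12 from raw virus patterns
and compress the result as in FIG. 13.

Added example, not the patent's generation software (201). The Verilog
template, the module names and the use of zlib are assumptions made here.
Logic synthesis of the HDL into device configuration data (204) needs the
FPGA vendor's tools and is not modelled; the sample patterns are constructed.
"""
import zlib

DETECTOR_TEMPLATE = """\
// byte match detector (032) generated from a {n}-byte raw virus pattern
module {name} (
    input  wire [{w}:0] window,  // newest {n} FIFO bytes, oldest byte in the MSBs
    output wire         detect   // individual virus signal (034)
);
{comparators}
    // match signal integration device (040): every byte comparator matched
    assign detect = {conj};
endmodule
"""

TOP_TEMPLATE = """\
// virus collator (015) in the FIG. 5 arrangement: {k} detectors in parallel
module virus_collator (
    input  wire [{w}:0]  window,  // FIFO (030) output, {depth} bytes deep
    output wire          detect,  // virus detection signal (019)
    output wire [{kw}:0] kind     // one-hot kind of the detected virus
);
{instances}
    // virus detection integration device (033)
    assign detect = |kind;
endmodule
"""


def generate_detector(name: str, pattern: bytes) -> str:
    """Write the raw pattern bytes (200) into the template as comparison
    constants, one 8-bit comparator (041) per pattern byte."""
    n = len(pattern)
    comparators = []
    for i, b in enumerate(pattern):
        hi, lo = 8 * (n - i) - 1, 8 * (n - i - 1)   # bit slice holding byte i
        comparators.append(f"    wire m{i} = (window[{hi}:{lo}] == 8'h{b:02x});")
    return DETECTOR_TEMPLATE.format(
        n=n, name=name, w=8 * n - 1,
        comparators="\n".join(comparators),
        conj=" & ".join(f"m{i}" for i in range(n)),
    )


def generate_collator(patterns: dict[str, bytes]) -> str:
    """Virus identification HDL (202): one detector module per pattern plus
    a top level that feeds each the newest bytes it needs and ORs the hits."""
    depth = max(len(p) for p in patterns.values())
    modules, instances = [], []
    for idx, (kind, pattern) in enumerate(patterns.items()):
        name = f"det_{kind}"
        modules.append(generate_detector(name, pattern))
        instances.append(
            f"    {name} u{idx} (.window(window[{8 * len(pattern) - 1}:0]), "
            f".detect(kind[{idx}]));"
        )
    top = TOP_TEMPLATE.format(
        k=len(patterns), w=8 * depth - 1, depth=depth, kw=len(patterns) - 1,
        instances="\n".join(instances),
    )
    return "\n".join(modules + [top])


def compress_pattern(hdl: str) -> bytes:
    """FIG. 13: compressed virus pattern (206) for delivery to the checker."""
    return zlib.compress(hdl.encode(), 9)


def decompress_pattern(blob: bytes) -> str:
    """Recover the original on the checker or PC side before rewriting."""
    return zlib.decompress(blob).decode()


# constructed sample pattern set
PATTERNS = {"a": b"X5O!P%@AP", "b": b"\xde\xad\xbe\xef"}

if __name__ == "__main__":
    hdl = generate_collator(PATTERNS)
    blob = compress_pattern(hdl)
    print(hdl)
    print(f"{len(hdl.encode())} bytes of HDL -> {len(blob)} bytes compressed")
```

Each pattern byte becomes one 8-bit constant comparator and the AND of their match signals is the detection output; the top level gives each detector the newest bytes it needs from the shared FIFO window and ORs the individual signals into a one-hot kind vector, mirroring FIG. 5. Compression is shown on the HDL only because the configuration data produced by synthesis is tool-specific; in the system of FIG. 13 the same step is applied to the virus pattern 204.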

The operation steps of the present system, including updating of the virus pattern, are shown in FIG. 14. State 300 is the initial state: immediately after power-on, operations such as the initialization necessary for the apparatus are performed, and when they are finished the step proceeds automatically to the next state 301. In state 301, the latest virus pattern data stored inside the virus checker 001 is loaded into the reconfigurable device inside the virus collator 015, a function check or the like is made if possible, and the step proceeds to the next state 302. State 302 is the normal operation state, in which data on the communication network is monitored while a check for virus pattern updating data is made. In the subsequent decision 303, it is checked whether virus pattern updating data has arrived; when it has, the step proceeds to state 304, and when it has not, the step returns to state 302. When the virus pattern updating data has arrived, in state 304 the virus pattern is updated, the arriving updating data is recorded as the latest virus pattern data, initialization is performed if necessary, a function check or the like is made if possible, and the step returns to state 302. In the present system, processing is ended by turning off the power without any special processing at the end.
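The in-band delivery of control data described earlier, the detection of the update mark by the rewriting pattern detector and buffer memory of FIG. 7, the update procedure of FIG. 9 and the operation flow of FIG. 14 can be put together in one software model. This is an added example, not the patent's code: the frame layout, the HMAC-SHA256 tag computed with a key shared between server and checker (standing in for the digital signature or encryption the description recommends), the version field and the sample patterns are assumptions made here, and the hardware collator is reduced to a substring search.

```python
"""Software model of the in-band virus pattern update of FIGS. 7, 9 and 14.

Added example, not the patent's code. The update frame layout, the HMAC
key shared between server and checker (a stand-in for the digital
signature or encryption the description recommends), the version field
that rejects stale frames, and the sample patterns are assumptions made
for this example; the collator itself is reduced to a substring search.
"""
import hashlib
import hmac
import json
import struct
from collections import deque
from enum import Enum

UPDATE_MARK = b"\xa5\x5a\x56\x50"      # assumed "particular mark" of FIG. 9
HEADER = struct.Struct(">4sBH")        # mark, version, payload length
TAG_LEN = 32                           # HMAC-SHA256 tag over header + payload


class State(Enum):
    """States of the operation flow of FIG. 14."""
    INIT = 300
    LOAD = 301
    MONITOR = 302
    UPDATE = 304


def build_update_frame(key: bytes, version: int, patterns: dict[str, bytes]) -> bytes:
    """Server (004) side: serialise the pattern set and authenticate it."""
    payload = json.dumps({k: v.hex() for k, v in patterns.items()}).encode()
    body = HEADER.pack(UPDATE_MARK, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class VirusChecker:
    def __init__(self, key: bytes, stored_patterns: dict[str, bytes], buffer_len: int = 4096):
        self.key = key
        self.version = 0
        self.stored = dict(stored_patterns)   # latest pattern kept inside the checker
        self.active: dict[str, bytes] = {}    # pattern configured into the collator
        # rewriting pattern buffer memory (061): newest bytes seen on the channel
        self.buffer = deque(maxlen=buffer_len)
        self.state = State.INIT
        self.log: list[tuple] = []
        self._enter(State.LOAD)                # state 301: load stored pattern
        self.active = dict(self.stored)
        self._enter(State.MONITOR)             # state 302: normal operation

    def _enter(self, new: State) -> None:
        self.log.append((self.state.name, new.name))
        self.state = new

    def collate(self, data: bytes) -> list[str]:
        """Stand-in for the hardware collator (015): substring search."""
        return [k for k, p in self.active.items() if p in data]

    def feed(self, data: bytes) -> list[str]:
        """Clock channel bytes through the device; return detected kinds."""
        hits = self.collate(data) if self.state is State.MONITOR else []
        self.buffer.extend(data)
        self._check_for_update()               # decision 303
        return hits

    def _check_for_update(self) -> None:
        """Rewriting pattern detector (060): look for the mark, wait for the
        whole frame, then hand it to the pattern rewriting device (062)."""
        while True:
            buf = bytes(self.buffer)
            pos = buf.find(UPDATE_MARK)
            if pos < 0 or len(buf) - pos < HEADER.size:
                return
            _, version, length = HEADER.unpack_from(buf, pos)
            end = pos + HEADER.size + length + TAG_LEN
            if len(buf) < end:
                return                         # frame still arriving
            self._rewrite(buf[pos:end], version)
            self.buffer.clear()
            self.buffer.extend(buf[end:])      # resume buffering after the frame

    def _rewrite(self, frame: bytes, version: int) -> bool:
        """State 304: collator stopped, frame verified, device reconfigured."""
        self._enter(State.UPDATE)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        ok = hmac.compare_digest(tag, expected) and version > self.version
        if ok:
            payload = json.loads(body[HEADER.size:])
            self.stored = {k: bytes.fromhex(v) for k, v in payload.items()}
            self.version = version
            self.active = dict(self.stored)    # reconfigure the logic device
        self.log.append(("update", version, "applied" if ok else "rejected"))
        self._enter(State.MONITOR)
        return ok
```

The device rejects a frame whose tag does not verify and a frame whose version is not newer than the one already loaded, so neither a forged frame placed on the input channel nor a replayed old frame changes the pattern. Without such a check, anything able to write the mark onto the monitored channel could reconfigure the checker, which is why the description recommends signing or encrypting the control data. The buffer length must exceed the largest update frame, as the description requires of the rewriting pattern buffer memory 061.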

It is also useful to incorporate the virus checker of the invention into an NIC (Network Interface Card) built into a computer, into a motherboard on which the main elements of the computer are mounted, or into a network device such as a switching hub or a router. It is likewise useful to insert the virus checker into the middle of any of the networks or similar channels implemented inside the computer.

Besides a network, a detachable storage device is another path by which a virus can invade a computer. When such a storage device is connected to a virus-infected computer, a virus-infected file may come to be held inside the storage device.

By adapting it to the communication protocol concerned, the virus checking apparatus according to the invention can also be inserted into the channel to any storage device that a computer can access. The methods of incorporation and the power supply conditions in this case are the same as for insertion into a network channel, and the virus checking apparatus can further be incorporated into the body of the storage device itself. In this case the control data written into a rewritable logic device such as a PLD, that is, the virus pattern, can be rewritten using software on the computer inside the computer terminal, or by connecting a storage device or a network for rewriting to the body of the virus checking apparatus.

By inserting this apparatus between the computer terminal and the storage device, programs can be executed and data transferred without the virus check imposing any load on the CPU.

In FIG. 15, a virus checker 001 is inserted into the cable 141 connecting a storage device 140 to the computer 002, which is the main body apparatus. The medium of the connection cable between the virus checker 001 and the computer 002 has no influence on the function of the invention: a wired connection such as USB, IEEE1394, serial, parallel, SCSI, IDE or Ethernet, or a wireless network such as a wireless LAN, can equally be used. The storage device may be connected directly to the virus checker 001 or through a relay hub on the way along the connection cable.

The virus checker collates the data passing through the cable with the virus pattern, so that invasion of a virus from the storage device into the computer, or from the computer into the storage device, can be detected or blocked in real time.

When necessary, the virus checker can receive the latest virus pattern from a server 004 on the communication network, either via software on the computer 002 or directly through a LAN cable 142, and can be reconfigured with that virus pattern.

FIG. 16 shows one example of applying the LAN arrangement of FIG. 2 to a storage device. The encoder 017 of FIG. 2 is omitted here, but this example can also be applied with the encoder, and conversely the arrangement of FIG. 16, in which the encoder is omitted from FIG. 2, can naturally also be applied to the LAN case.

In FIG. 16, numeral 146 is a circuit that separates (taps off) the data flowing through the cable 141. By inserting a circuit 145 that delays the data on the channel until the separated copy has been buffered and its virus collation has finished, the processing of re-encoding the data once decoded by the decoder 144 and returning it to the channel can be omitted. Note that blocking, as opposed to mere detection, is only possible if the delay covers the full latency of the collation; where the virus check is fast enough that collation finishes before the data leaves the channel, the circuit 145 can itself be omitted.

It is also useful to insert the virus checker of the invention into the various data transmission channels built into a computer, or to install it in the I/O unit of the storage device body.

When the virus checker of the invention is applied to an external storage body of a personal computer, it is also useful to build it into the controller that handles the data communication of USB, IEEE1394 or the like. As shown in FIG. 17, the controller is provided with a buffer 151 such as a FIFO for temporarily holding data; data 153 is output from the buffer 151 to a byte match detector 152 one data byte 154 at a time and collated with the virus pattern. When the buffer built into the controller is not large enough to hold the virus pattern, a separate buffer can be provided. The virus collator itself has been described with reference to FIG. 3.

An example of implementation in a USB controller is shown in FIG. 18. In a USB controller, data is temporarily buffered in a FIFO called an endpoint 161, and as in FIG. 17 a virus collator can be constructed by installing a byte match detector 162 at this position. When a single endpoint 161 is used, the mixer 166 may be unnecessary; to handle partial matches with the virus pattern, the match detection signal 165 is held in a buffer 167, combined with the next match detection signal by a mixer 168, and a virus match detector 169 performs the detection and outputs a virus detection signal 170. Plural endpoints 161 can also be used collectively; in that case the match detection signals 165 from the byte match detectors 162 of the endpoints 161 in the group are collected through the mixer 166 and sent to the match detection signal buffer 167 and the mixer 168. In FIG. 18 the elements 166 to 169 are placed outside the USB controller 150, but they need not be: any of the elements 166 to 169 may be taken into the USB controller, and conversely the stages after the byte match detector 162 can be placed outside the controller.
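The point of the match detection signal buffer 167 and mixer 168 in FIG. 17 and FIG. 18 is that a virus pattern does not respect FIFO boundaries: a match that begins at the end of one endpoint transfer must be completed in the next one. The following Python model, added here and not part of the patent, shows that behaviour in software. It represents the "partial match" carried between chunks as the state of a per-pattern KMP automaton (the number of leading pattern bytes matched so far); the class and function names, the chunking and the pattern bytes are constructed for the example and do not describe the real hardware. A second function that discards the state at every chunk boundary is included for contrast, to show the miss that the buffer 167 exists to prevent.

```python
"""Streaming byte-pattern collation across FIFO chunk boundaries.

Added example (not from the patent): software model of the byte match
detector 162 / match-signal buffer 167 / mixer 168 arrangement. Each
pattern is tracked with a KMP automaton whose state (number of pattern
bytes matched so far) is the partial match carried from one FIFO chunk
to the next. Names, chunk sizes and pattern bytes are constructed.
"""
from typing import Dict, List, Tuple

Hit = Tuple[str, int]   # (pattern name, stream offset one past the last matched byte)


def _failure_table(pattern: bytes) -> List[int]:
    """KMP failure table: fail[i] is the length of the longest proper prefix
    of pattern[:i+1] that is also a suffix of it."""
    fail = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k > 0 and pattern[i] != pattern[k]:
            k = fail[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        fail[i] = k
    return fail


class StreamCollator:
    """Collates a byte stream against named patterns, one chunk at a time.

    self.state[name] persists between feed() calls; that persistence is
    what lets a pattern split across two transfers still be detected."""

    def __init__(self, patterns: Dict[str, bytes]) -> None:
        if not patterns or any(len(p) == 0 for p in patterns.values()):
            raise ValueError("patterns must be non-empty byte strings")
        self.patterns = dict(patterns)
        self.fail = {n: _failure_table(p) for n, p in patterns.items()}
        self.state = {n: 0 for n in patterns}
        self.offset = 0                  # bytes consumed over all chunks so far

    def feed(self, chunk: bytes) -> List[Hit]:
        """Process one FIFO chunk and return the full matches completed in it."""
        hits: List[Hit] = []
        for i, b in enumerate(chunk):
            for name, pat in self.patterns.items():
                k, fail = self.state[name], self.fail[name]
                while k > 0 and b != pat[k]:
                    k = fail[k - 1]      # fall back to a shorter partial match
                if b == pat[k]:
                    k += 1
                if k == len(pat):
                    hits.append((name, self.offset + i + 1))
                    k = fail[k - 1]      # keep going; overlapping matches allowed
                self.state[name] = k
        self.offset += len(chunk)
        return hits


def collate_chunks(patterns: Dict[str, bytes], chunks: List[bytes]) -> List[Hit]:
    """One collator for the whole stream: state survives chunk boundaries."""
    c = StreamCollator(patterns)
    hits: List[Hit] = []
    for ch in chunks:
        hits.extend(c.feed(ch))
    return hits


def collate_without_carry(patterns: Dict[str, bytes], chunks: List[bytes]) -> List[Hit]:
    """For contrast: a fresh collator per chunk (no match-signal buffer),
    which misses any pattern that straddles a chunk boundary."""
    hits: List[Hit] = []
    offset = 0
    for ch in chunks:
        c = StreamCollator(patterns)
        c.offset = offset
        hits.extend(c.feed(ch))
        offset += len(ch)
    return hits


# Constructed sample: a 64-byte transfer split into two 32-byte endpoint FIFO
# chunks so that "sample_b" starts in the first chunk and ends in the second.
SAMPLE_PATTERNS = {
    "sample_a": b"\x4d\x5a\x90\x00",     # constructed 4-byte signature
    "sample_b": b"VIRUS-TEST-PATTERN",   # constructed 18-byte signature
}
_STREAM = (b"\x00" * 10 + SAMPLE_PATTERNS["sample_a"] + b"\x11" * 10
           + SAMPLE_PATTERNS["sample_b"] + b"\x22" * 22)
SAMPLE_CHUNKS = [_STREAM[:32], _STREAM[32:]]

if __name__ == "__main__":
    print("with carry-over:   ", collate_chunks(SAMPLE_PATTERNS, SAMPLE_CHUNKS))
    print("without carry-over:", collate_without_carry(SAMPLE_PATTERNS, SAMPLE_CHUNKS))
```

In hardware the equivalent of `self.state` is whatever the buffer 167 holds between transfers; if that buffer is cleared per endpoint transaction, or if plural endpoints are mixed into it in an order that does not match the order of the bytes on the storage device, the second output line above is what the checker will actually see.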

The implementation example of FIG. 18 is for USB-connected storage, but it can be applied in the same way to storage with IEEE1394, SCSI or other interfaces used for similar purposes.

Of course, the virus checker of the invention can be inserted at any position at which the data to be collated can be identified, and is not limited to using the buffer built into the controller.

Further, a current software anti-virus tool has functions such as removal of a virus or blocking of its invasion in addition to detection, but all of these are processing performed after detection, so applying the present idea to the detection part raises the efficiency and speed of the whole. Conversely, by adding a virus invasion blocking part, a virus removal part or the like to the present detection part, an apparatus functionally equivalent to a current anti-virus tool can be constructed.

The description above is based on the illustrated examples, but the invention is not limited to them and also covers other configurations that can easily be derived by those skilled in the art within the scope described in the claims.

As described above, according to the invention, data input from a communication network is collated with virus feature data by virus checking hardware inserted into the communication network channel or added to a network card or the like. By exploiting the advantage that hardware can process at higher speed than software, the invasion of harmful data, that is, a virus, into a personal computer or the like can be detected in real time, and because the virus is detected at high speed, countermeasures such as its removal or the blocking of its invasion can be taken.

1. A virus checking apparatus comprising: a hardware circuit which isdisposed in the side of an input channel of a communication network or astorage device and checks a virus from input data from the communicationnetwork or the storage device in an information processing terminalcapable of communicating with other information processing apparatusthrough a communication network.
 2. The virus checking apparatus asclaimed in claim 1, which is inserted into a medium of the inputchannel.
 3. The virus checking apparatus as claimed in claim 1, which isdisposed in addition to an interface to a communication network of theinformation processing terminal.
 4. The virus checking apparatus as inclaim 1 wherein the hardware circuit includes: a logic device having adata input part for holding the input data, a virus definition part forholding a virus pattern, and a pattern collation part for collating theinput data with the virus pattern.
 5. The virus checking apparatus as inclaim 1, wherein the hardware circuit is detachably mounted.
 6. Thevirus checking apparatus as in claim 1, wherein the hardware circuit isrewritable by control data sent from other information processingapparatus through a communication network.
 7. The virus checkingapparatus as claimed in claim 4, wherein the hardware circuit furtherincludes: a rewriting control part for rewriting the logic device basedon control data sent from other information processing apparatus througha communication network.
 8. A virus checking system comprising: a serverapparatus, an information processing terminal communicably connected tothe server apparatus through a communication network, and a viruschecking apparatus disposed in the side of an input channel of acommunication network or a storage device of the information processingterminal, wherein the server apparatus includes: a virus definition filefor updatably accumulating virus definition information, and a controldata sending part for sending control data generated based on the virusdefinition information, and the virus checking apparatus includes: ahardware circuit for checking a virus from input data from acommunication network or a storage device to the information processingterminal, and the hardware circuit has a control part for updating avirus pattern collated with the input data based on control data fromthe server apparatus.
 9. The virus checking system as claimed in claim8, wherein the hardware circuit further includes: a logic device havinga data input part for holding the input data, a virus definition partfor holding the virus pattern, and a pattern collation part forcollating the input data with the virus pattern.